在ASPX应用pre-验证用户 [英] pre-authenticate user in aspx application
问题描述
我们有两个应用,一个是和的NodeJS其他的ASPX。结果
登录页面中的NodeJS。我需要的是创建一个会话和验证我从登录页面的aspx应用程序用户在ASPX应用程序后的导航。
搜索结果
作为Web开发的小白,我不知道从哪里开始或者什么搜索。
搜索结果
在此先感谢
We have 2 application, one is in Nodejs and the other in aspx.
The login page is in Nodejs. What I need is to create a session and authenticate my user in aspx application from the login page for later navigation in the aspx app.
Being a noob in web development, I have no clue where to start or what to search.
Thanks in advance
推荐答案
因此,有几种方法我能想到的要做到这一点,根据您目前的意图为做你正在做什么应用程序和理由。我会尝试,并与一些亲的和利弊列出每一个在这里。我再说一遍,没有什么是我会考虑便于新的Web开发;有没有人在你的团队有一个或两个技术的经验?
So there's several ways I can think of to do this, depending on your current intent for both applications and reasons for doing what you're doing. I'll try and list each here with some pro's and cons. I'll say again that none are what I'd consider easy for a new web developer; are there others on your team that have experience in one or both technologies?
1)也许是最简单的选项,如果你能做到这一点是有Node.js的过程是网关。 ASP.NET应用程序无需对用户的所有认证,Node.js的应用程序作为一个完整的逆向代理的ASP.NET应用程序。这种运作良好,如果你能支持它,你可以通过让Node.js的应用程序登录到ASP.Net应用程序将其固定(通过任何方法你想;基本身份验证,登录方式,等等)。如果您需要ASP.Net应用程序需要注意的是在目前情况下有什么用户,那么你可以把你需要到请求头信息的任何这样做的(例如,如果它们共享同一个数据库,你coudl放在标识该节点的应用程序已经验证的用户)。如果你想在ASP.NET应用程序将自身以及通过该节点的应用程序访问,则节点应用成为众多用户之一,并在asp.net应用程序需要一个HTTP模块,以标准化的用户信息是否是来自Session或从HTTP标头。要做到这一点,最简单的方法是让HTTP模块检查当前用户是一个给定的角色(如NodeApp),并登录,然后要么复制从HttpContext的用户信息到一个新的Session变量(该应用程序的其余部分使用),否则,查找在DB代理的用户,并做了同样的。基本上,应用程序的其余部分将永远不会信任的HttpContext的当前用户在这一点上做出决定。
1) Probably the simplest option, if you can do it is to have the Node.js process be the gateway. The ASP.NET application never needs to authenticate the users at all, the Node.js app acts as a full-on reverse proxy to the ASP.NET app. This works well if you can support it, and you can secure it by having the Node.js application login to the ASP.Net app (via whatever method you want; basic auth, forms login, whatever). If you need the ASP.Net app to be aware of what user is in the current context, then you can push whatever info you need into the request headers to do so (e.g. if they share the same database, you coudl put in the Id of the user that the node app has authenticated). If you wanted the ASP.NET app to be accessible on its own as well as via the node app, then the node app becomes one of many users and the asp.net app needs a HTTP Module to normalize whether the user info is coming from Session or from the Http headers. The easiest way to do this is to have the Http Module check that the current user is of a given role (e.g. NodeApp) and is logged in, and then it either copies the user information from the HttpContext into a new Session variable (that the rest of the app uses), or else looks up the proxied user in the DB and does the same. Basically, the rest of the app will never trust the HttpContext's current user for making decisions at that point.
Pro的:合理的结构简单,不依赖于每个应用程序是在什么领域。这两个应用程序需要访问用户数据库为它工作得很好。
Pro's: reasonably simple architecture, does not depend on what domain each app is on. Both apps need access to the user DB for it to work well.
刀豆的:如果由于某种原因该应用无法访问该同一用户分贝它也没有那么好。还有一些开销做代理(不多,但还是有的)。还有一点左右脑无论你是在谈论'真正的'用户或你必须保持直'节点'用户的弯曲。
Con's: If for some reason the apps can't have access to the same user db it isn't as good. There's some overhead for doing the proxy (not much, but still there). There's a bit of brain bending around whether you're talking about the 'real' user or the 'node' user that you have to keep straight.
2)的OAuth(或备选的OpenID)是最符合标准的选项。在这种情况下,你会设置Node.js的应用为OAuth提供者和有ASP.NET应用程序是一个OAuth用户。然后,用户可以使用其节点的用户名和密码登录,并有节点应用通过现有的认证模块传递一个身份验证令牌给ASP.NET应用程序。
2) OAuth (or alternatively OpenID) is the most standards-compliant option. In this case, you'd setup the Node.js app as an OAuth provider and have the ASP.NET app be an OAuth consumer. The user can then use their Node username and password to login, and have the Node app pass an auth token to the ASP.NET app via existing authentication modules.
Pro的:少code,以在ASP.NET侧写比上面的例子中,符合标准。你可以切换出(或增加)的OAuth提供者,如果你想以后
Pro's: Less code to write on the ASP.NET side than the above example, standards compliant. you could switch out (or add) OAuth providers if you wanted to later
反对的:一个用户有点间接(在应用程序之间重定向)。这或许可以被最小化,但你必须非常熟悉的OAuth协议。
Con's: A bit more indirection for the user (redirects between the apps). This can probably be minimized, but you'll need to be very familiar with the OAuth protocols.
3)会话共享(考虑会话劫持当其他人做给你。)。如果你是在同一个域,那么Node.js的应用程序可以简单地写了ASP.NET会话和权威性饼干像ASP.NET会。我说'只是',但有很多,你需要了解做是正确的ASP.NET机器的详细信息。 http://support.microsoft.com/kb/910443 。主要位是你需要把你的ASP.NET会话存储在数据库中,然后让Node.js的管理从那里元素的添加和删除,这样,当ASP.NET去寻找在会议和放大器;在给定的请求权威性的cookie,它可以在它希望找到它们,然后ASP.NET进程将在那里找到他们,并据此采取行动的地方找到他们。
3) Session sharing (considered session hijacking if someone else is doing it to you. . . ). If you're on the same domain, then the Node.js app can simply write out the ASP.NET session and auth cookies like ASP.NET would. I say 'simply', but there's a lot of details of the ASP.NET machinery that you'll need to understand to do it right. http://support.microsoft.com/kb/910443 . The main bits are that you'd need to put your ASP.NET Session Store in a database, and then have Node.js manage the addition and removal of elements from there so that when ASP.NET goes looking at the session & auth cookies on a given request, it can find them in the place it expects to find them and then the ASP.NET process would find them there and act accordingly.
Pro的:使用ASP.NEt机械这是已经到位在一定程度上
反对的:大概pretty脆弱的,所有的事情考虑。您的Node.js应用程序将需要访问的machineKey的ASP.NEt应用程序将使用解密会话内容。你需要确保你使用相同的加密算法和应用程序都将被连接到同一个会话存储。
Pro's: Uses the ASP.NEt machinery that's already in place to some degree Con's: Probably pretty fragile, all things considered. Your node.js app would need access to the machineKey that the ASP.NEt app is going to use to decrypt the session contents. You'll need to make sure you're using the same encryption algorithm and both apps would be coupled to the same session store.
4)滚你自己的ASP.NET成员资格提供程序发出一个窗体身份验证票证到节点的应用程序。这有点类似于混合的1和3。在此选项中,节点的应用程序,验证用户后,将发送另一个请求到ASP.Net服务器上登录的端点,提供全权证书标识自己的身份不过你想要的(如:这在某种程度上被加密的密钥)。它也可以提供你想要的任何用户详细信息。然后,您可以手动调用窗体身份验证API在ASP.NET code创建为最终用户(的http://msdn.microsoft.com/en-us/library/system.web.security.formsauthenticationticket.aspx)即没有自己计算它;会话存储可以在任何地方对Node.js的应用程序的响应将包括身份验证cookie中的数据门票等你的Node.js应用程序通过管道将数据返回给用户,这样,下一次它们对aSP.nEt应用程序的请求,他们将不得不通过asp.net产生一个有效的身份验证cookie中。
4) Roll your own membership provider in ASP.NET to issue a Forms Auth ticket to the Node app. This is somewhat similar to a blend of 1 and 3. In this option, the Node app, after authenticating the user, would send another request to a Login endpoint on the ASP.Net server, providing it credentials identifying itself however you want (e.g. a shared key that's been encrypted in some way). It could also provide any user details you want. You could then manually call the Forms Authentication api in your ASP.NET code to create a ticket for the end user (http://msdn.microsoft.com/en-us/library/system.web.security.formsauthenticationticket.aspx) i.e. no calculating it yourself; session store can be anywhere. The response to the Node.js app will include the ticket data in the auth cookie and so your Node.js app can pipe that data back to your user, so that the next time they make a request to the ASP.nEt app, they'll have a valid auth cookie generated by asp.net.
Pro的:比#3,从ASP.NET的角度来看用户mungery比1少更灵活。
反对的:仍然需要在同一个域这两个应用,仍然需要大量的两者之间的整合。如果你搞砸了你的会员资格供应商,你可能会意外地在您的安全建立了一个洞。
Pro's: More flexible than #3 and less user mungery than #1 from the ASP.NET perspective. Con's: Still requires both apps on the same domain, still requires a lot of integration between the two. If you screw up your Membership provider you could accidentally create a hole in your security.
总的来说,我认为OAuth的解决方案是最好的,但这些都是我能想到的这样做的方法。
Overall, I think the OAuth solution is the best one, but those are all the methods I can think of to do it.
这篇关于在ASPX应用pre-验证用户的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
